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DETAILED ACTION 

A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 
12/14/2005 has been entered. 

Claims 1-3 and 5-33 are pending. Applicant's arguments have been considered, 
but are moot in view of new grounds of rejection presented below. 

Claim Objections 

Claims 1, 5-6, 22, 27, and 30 objected to because of the following informalities: 

1 . As per claim 1 , in line 6, the examiner believes applicant meant to recite "variant 
at least second security policy" instead "at least second variant security policy" 
and "disparate at least second subsection" instead of "at least second disparate 
subsection". 

2. Claims 5, 6, and 27 recites "the at least first and second". The examiner believes 
applicant meant "the at least first and at least second". 

3. Claim 22 recites in line 3, "at least first and second variant security policies". The 
examiner assumes applicant meant "variant at least first and at least second 
security policies". Note later in the claim applicant refers to "at least first security 
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policy" and "at least second security policy", not "at least second variant security 
policies". 

4. Claim 22 recites in line 5, "at least first and second disparate security regions". 
The examiner assumes applicant meant "disparate at least first and at least 
second security regions". Note later in the claim applicant refers to "at least first 
security region" and "at least second security region". 

5. Similar corrections as claim 22 are recommended for claim 30. 

6. Appropriate correction is required. 

Claim Rejections - 35 USC §112 

The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

Claims 30-33 are rejected under 35 U.S.C. 112, first paragraph, as failing to 
comply with the enablement requirement. The claim(s) contains subject matter which 
was not described in the specification in such a way as to enable one skilled in the art to 
which it pertains, or with which it is most nearly connected, to make and/or use the 
invention. 

Claims 30-33 are rejected under 35 U.S.C. 112, first paragraph, as failing to 
comply with the written description requirement. The claim(s) contains subject matter 
which was not described in the specification in such a way as to reasonably convey to 
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one skilled in the relevant art that the inventor(s), at the time the application was filed, 
had possession of the claimed invention. 

1 . Claim 30 has been amended to recite "a third data field that links the at least first 
security policy to the at least first security region and the at least second security 
policy to the at least second security region". The examiner respectfully submits 
that one of ordinary skill would not understand from applicant's disclosure how 
one single field, i.e. the third field, would link both the at least first security policy 
to the at least first security region and the at least second security policy to the at 
least second security region. 

2. The examiner submits that it does not appear that the data structure as currently 
recited in claim 30 was originally disclosed by applicant in the specification when 
the current application was originally filed. Note that on page 18, starting at line 
2, applicant discloses an example data structure that is to be used in applicant's 
invention. This data structure can further be seen on in Fig 5 of the drawings. 
The data structure does not seem to correspond with the data structure recited in 
claim 30 nor does the examiner see any other data structure disclosed in the 
specification that would correspond to the data structure as currently recited in 
claim 30. The amendment to claim 30 will not be entered as it appears to be new 
matter. 

3. Any claims not specifically addressed are rejected by virtue of dependency. 
The following is a quotation of the second paragraph of 35 U.S.C. 112: 
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The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

Claims 2-3, 5, 8-9, 13-14, and 29 are rejected under 35 U.S.C. 112, second 

paragraph, as being indefinite for failing to particularly point out and distinctly claim the 

subject matter which applicant regards as the invention. 

1 . Claim 2 recites "the hierarchical data structure". It is unclear to which 
hierarchical data structure of the "at least one hierarchical data structure" of claim 
1 is being referred. 

2. As per claim 5, it is unclear what it means for security policies to be mapped from 
within and from outside the data store. 

3. Claim 8 recites the limitation that "the Access Control List can be associated with 
a holding relationship of a containment hierarchy". The language used therein 
seems to imply an intended use for the Access Control List, thus the metes and 
bounds of the claim is unclear. 

4. Claim 9 recites the limitation that there is "a plurality of Access Control Lists to 
facilitate security for the containment hierarchy". The language used therein 
seems to imply an intended use for why there should be a plurality of Access 
Control Lists. However, it is unclear if applicant meant for there to actually be 
any facilitation of security for the containment hierarchy due to the plurality of 
Access Control Lists. 

5. As per claims 13 and 14, it is unclear how a system can comprise an algorithm. 
The examiner suspects applicant may have meant that the system utilizes the 
algorithms recited in claims 13 and 14. 
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6. Claim 29 recites " the one or more disparate second security policies" in line 6, 
which lacks antecedent basis. It is unclear if it is meant to refer back to "one or 
more disparate second security policies" recited in lines 3-4. 

7. Any claims not specifically addressed are rejected by virtue of dependency. 

Claim Rejections - 35 USC § 101 

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

Claims 1-3, 5-20, and 29-33 are rejected under 35 U.S.C. 101 because the 
claimed invention is directed to non-statutory subject matter. 

1. Claim 1 is directed towards a system comprising a data store and a security 
component. Both the data store and the security components are software (see 
specification p6, lines 5-7 and p25, lines 1-11), thus the system of claim 1 is 
directed towards software per se and is not statutory. Applicant must recite a 
hardware component for the system of claim 1 for claim 1 to be statutory. Claims 
2-3 and 5-20 are dependent on claim 1 and either further defines the software 
components of the system of claim 1 or further recites other components of the 
system which are also disclosed in the specification as being implemented as 
software. Thus claims 2-3 and 5-20 also are not statutory because they are 
directed towards software per se. 

2. Claim 29 as recited is directed to software per se and is not statutory since the 
means which the system of claim 29 comprises are all disclosed in the 
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specification as software means. Applicant must recite either hardware or a 
means which is disclosed in the specification as hardware (and is not disclosed 
as capable of being implemented as entirely software) as part of the system of 
claim 29 for claim 29 to be statutory. 
3. Claim 30 as recited appears to be directed towards non-functional descriptive 
material stored in memory. Note that the definition of "data structure" is "a 
physical or logical relationship among data elements, designed to support 
specific data manipulation functions". What applicant is calling a data structure in 
claim 30 is mere arrangement of data, thus is non-functional descriptive material. 
Claims 31-33 are also not statutory because the data fields defined in claims 31- 
33 also are non-functional descriptive material because they do not define a 
physical or logical relationship among data elements, designed to support 
specific data manipulation functions. For the computer readable medium of claim 
30 to be statutory, applicant must specify in the claim how the fields of claim 30 
specify a relationship designed to support a data manipulation function and 
specify what data manipulation function the data structure is meant to support. 



Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States. 
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(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

Claims 1-3, 5-10, 18-22, 25-27, and 29 are rejected under 35 U.S.C. 102(b) as 
being anticipated by Carter et al (US 5,987,506). 
Claim 1: 

Carter discloses: 

1 . A data store that includes at least one hierarchical data structure that comprises 
a plurality of data items (Fig 1, Fig 2, and col 6, lines 3-40). 

2. A security component that applies at least a first security policy to at least a first 
subsection of the data store and variant at least a second security policy to 
disparate at least a second subsection of the data store (col 4, lines 41-50 and 
col 41, lines 7-20). 

The examiner has interpreted the term data store to mean anything that is being 
used to store data, i.e. databases, networks, hard drives, memory, etc. 
Claim 2: 

Carter further discloses the hierarchical data structure is at least one of a tree 
structure and a containment hierarchy (Fig 2). 
Claim 3: 
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Carter further discloses the containment hierarchy is modeled as a Directed 
Acyclic Graph (DAG) (Fig 2). 
Claim 5: 

Carter further discloses the at least first and the at least second security policies 
are at least one of mapped from within the data store (col 4, lines 40-50) and mapped 
from outside the data store (col 41 , lines 29-32). 
Claim 7: 

Carter further discloses the security component includes an Access Control List 
having one or more Access Control Entries (col 41 , lines 7-50). 
Claim 8: 

Carter further discloses the Access Control List can be associated with a holding 
relationship of a containment hierarchy (Fig 3). 
Claim 9: 

Carter further discloses a plurality of Access Control Lists to facilitate security for 
the containment hierarchy (col 41, lines 29-37). 
Claim 10: 

Carter further discloses the security component specifies a set of principals that 
are granted or denied access to perform operations on an item (col 41, lines 29-37). 
Claim 18: 

Carter further discloses a security table, i.e. ACL, for similarly protected security 
regions (col 41, lines 6-50). 
Claim 19: 
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Carter further discloses the security table includes at least one of the following 
fields an Item Identity, an Item Ordpath, an Explicit Item, a Path ACL, and a Region ACL 
(col 41, lines 29-37). 
Claim 20: 

Carter further discloses a component that does at least one of create a new item 
in a container, add an explicit ACL to an item, add a holding link to an item, delete a 
holding link from an item, delete an explicit ACL from an item and modify an ACL 
associated with an item (col 41, lines 29-39). 
Claim 21: 

Claim 21 is directed towards a computer readable medium having computer 
readable instructions stored thereon for implementing the security component of claim 1 
and is rejected for the reasons given in claim 1. 
Claim 22: 

Claim 22 as recited is directed towards a computer-implemented method to 
facilitate data item security. The examiner asserts that the steps of the method recited 
in claim 22 are the steps necessary to implement the system recited in claim 1. As 
such, the limitations recited in claim 1 are rejected for substantially the same reasons 
given in claim 1. 
Claim 25: 

Carter further discloses processing security polices for at least one of a tree 
structure and a containment hierarchy (Fig 2 and col 40, lines 41-51). 
Claim 26: 
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Carter further discloses mapping a security policy to a security region from a 
remote location from a database (col 4, lines 40-50). 
Claim 27: 

Carter further discloses the at least first and the at least second security policies 
are associated with an Access Control List having one or more Access Control Entries 
(col 41, lines 6-50). 
Claim 29: 

Claim 29 is directed towards a system with means for implementing the steps of 
the method of claim 22 and is rejected for the same reason given in claim 22. 

Claims 30-33 are rejected under 35 U.S.C. 102(e) as being anticipated by Belani 
etal (US 6,772,350). 
Claim 30: 

Belani discloses a computer readable medium having a data structure stored 
thereon, comprising: 

1. A first data field related to a security region associated with a data store 
containing at least one hierarchical data structure (col 6, lines 63-66). 

2. A second data field that relates to a security policy (col 6, lines 50-62). 
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A third data field that links the security policy to the security region must 
inherently exist in Belani's invention or there would be no way to associate the security 
region with a security policy. 
Claim 31: 

Belani further discloses a field for an access mask specifying at least one of 
object-specific access rights, standard access rights, and generic access rights (col 7, 
lines 42-48 and Fig 4). 
Claim 32: 

Belani further discloses a security field for similarly protected security regions 
(Fig 3, item 56). 
Claim 33: 

Belani further discloses the security field includes at least one of an Item Identity, 
an Item Ordpath, an Explcit Item, a Path ACI, and a Region ACL (Fig 3, item 56). 

Claim Rejections • 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 6, 11, 17, and 23 are rejected under 35 U.S.C. 103(a) as being 

unpatentable over Carter et al (US 5,987,506) in view of Belani et al (US 6,772,350). 
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Claim 6: 

Carter discloses the at least first and the at least second security polices are at 
least one of explicitly mapped to an item (col 4, lines 40-50 and col 41, lines 21-50). 
Carter does not explicitly disclose security policies are inherited by an item. 

However, Belani discloses security polices being inherited by an item (col 6, lines 
50-61). At the time applicant's invention was made, it would have been obvious to one 
of ordinary skill in the art to modify Carter's invention using Belani's teachings according 
to the limitations recited in claim 6. One of ordinary skill would have been motivated to 
do so because Belani's teachings would allow Carter to be able to more efficiently 
control access to resources in a distributed computing environment, i.e. such as that 
found in Carter's invention (Carter: Fig 1). 
Claim 11: 

Carter does not disclose the following limitation, but it is disclosed by Belani: "the 
security component includes at least one of discretionary access control list, a system 
access control list, and a security identifier (col 5, lines 8-12 and col 6, lines 63-66). At 
the time applicant's invention was made, it would have been obvious to one of ordinary 
skill in the art to modify Carter's invention according to the limitations recited in claim 1 1 
in light of Belani's teachings. One of ordinary skill would have been motivated to 
incorporate Belani's teachings for the same reasons given in claim 6. 
Claim 17: 

Carter does not disclose the security component further comprises an access 
mask specifying at least one of object-specific access rights, standard access rights, 
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and generic access rights. However, Belani discloses the limitation (col 7, lines 42-48 
and Fig 4). At the time applicant's invention was made, it would have been obvious to 
one of ordinary skill in the art to modify Carter's invention according to the limitations 
recited in claim 17. One of ordinary skill would have been motivated to incorporate 
Belani's teachings within Carter's invention for the same reasons given in claim 6. 
Claim 23: 

Carter discloses automatically supporting at least one explicit security policy (col 
4, lines 40-50 and col 41 , lines 21-50). Carter does not explicitly disclose supporting 
inherited security policy. 

However, Belani discloses supporting inherited security policy (col 6, lines 50- 
61). At the time applicant's invention was made, it would have been obvious to one of 
ordinary skill in the art to modify Carter's invention using Belani's teachings according to 
the limitations recited in claim 23. One of ordinary skill would have been motivated to 
incorporate Belani's teachings within Carter's invention for the same reasons given in 
claim 6. 

Claims 12, 15, 16, 24, and 28 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Carter et al (US 5,987,506) in view of Dennis et al (US 6,466,932). 
Claim 12: 

Carter does not explicitly disclose an ordering component that arranges one or 
more Access Control Entries (ACE) in an Access Control List (ACL) to determine a 
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security policy that is enforced for an item. However, Dennis discloses this limitation 
(col 7, lines 7-11 and col 8, lines 26-31). 

At the time applicant's invention was made, it would have been obvious to one of 
ordinary skill in the art to modify Carter's invention according to the limitations recited in 
claim 12 in light of Dennis's teachings. One of ordinary skill would have been motivated 
to do so because Dennis teachings would allow for a way for an administrator to handle 
conflicting policies and manually set group security policies (col 7, lines 7-11). 
Claim 15: 

Carter further discloses a component that evaluates access rights for a given 
principal to a given data item (col 41, lines 41-50). 
Claim 16: 

Carter does not explicitly disclose the security component further comprises an 
effective access control list that is obtained by processing lists inherited by an item and 
adding inheritable access control entries in an explicit access control list. However, this 
limitation is disclosed by Dennis (col 7, lines 7-21). 

At the time applicant's invention was made, it would have been obvious to one of 
ordinary skill in the art to modify Carter's invention according to the limitations recited in 
claim 16. One of ordinary skill would have been motivated to incorporate Dennis's 
teachings in Carter's invention for the same reasons given in claim 12. 
Claim 24: 

Carter does not explicitly disclose automatically ordering security policies. 
However, Dennis discloses this limitation (col 8, lines 26-31). 
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At the time applicant's invention was made, it would have been obvious to one of 
ordinary skill in the art to modify Carter's invention according to the limitations recited in 
claim 24. One of ordinary skill would have been motivated to incorporate Dennis's 
teachings in Carter's invention for the same reasons given in claim 12. 
Claim 28: 

Carter does not explicitly disclose automatically arranging one or more Access 
Control Entries in the Access Control List to determine a security policy that is enforced 
for an item. However, Dennis discloses this limitation (col 8, lines 26-31). 

At the time applicant's invention was made, it would have been obvious to one of 
ordinary skill in the art to modify Carter's invention according to the limitations recited in 
claim 28. One of ordinary skill would have been motivated to incorporate Dennis's 
teachings in Carter's invention for the same reasons given in claim 12. 



Claims 13 and 14 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Carter et al (US 5,987,506) in view of Dennis et al (US 6,466,932) and further in 
view of Belani et al (US 6,772,350). 
Claim 13: 

Carter does not explicitly disclose the ordering algorithm as recited in claim 13. 
However, Belani discloses inherited ACL's on a data item, i.e. resource node (col 8, 
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lines 63-66). Further, Dennis discloses ranking the security policies in an access list 
(col 8, lines 26-31). These two teachings read on the algorithm as recited in claim 13. 

At the time applicant's invention was made, it would have been obvious to 
incorporate Dennis and Belani's teachings to further modify Carter's invention according 
to the limitations recited in claim 13. One of ordinary skill would have further motivated 
to include Belani's teachings for the same reasons given in claim 6. 
Claim 14: 

Carter does not explicitly disclose the ordering algorithm as recited in claim 14. 
However, Belani discloses inherited ACL's on a data item, i.e. resource node (col 8, 
lines 63-66). Further, Dennis discloses ranking the security policies in an access list 
(col 8, lines 26-31). These two teachings also read on the algorithm as recited in claim 
13. 

At the time applicant's invention was made, it would have been obvious to 
incorporate Dennis and Belani's teachings to further modify Carter's invention according 
to the limitations recited in claim 14. One of ordinary skill would have further motivated 
to include Belani's teachings for the same reasons given in claim 6. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Ponnoreay Pich whose telephone number is 571-272- 
7962. The examiner can normally be reached on 9:00am-4:30pm Mon-Fri. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on 571-272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 



Ponnoreay Pich 
Examiner 
Art Unit 2135 




